Change record status: 
Project: 
Introduced in branch: 8.x
Description: 

In Drupal 7, the image_style_options() API function returns sanitized output by default, appropriate for insertion directly into an HTML page. When image style labels were added in Drupal 7.23, an optional PASS_THROUGH parameter was added to this function to skip sanitization in cases where it is unnecessary.

In Drupal 8, the sanitization has been removed, and it is up to the calling function to ensure that the output is sanitized when required.

Example involving select lists

Drupal 7:

  $form['image_style'] = array(
    '#title' => t('Choose an image style'),
    '#type' => 'select',
    // The PASS_THROUGH parameter is used to prevent image_style_options() from
    // double-encoding the human-readable image style name, since the form API
    // will already sanitize options in a select list using check_plain().
    '#options' => image_style_options(FALSE, PASS_THROUGH),
    // ...
  );

Drupal 8:

  $form['image_style'] = array(
    '#title' => t('Choose an image style'),
    '#type' => 'select',
    // The output of image_style_options() is unsanitized, so we just let Twig
    // autoescape run it through Html::escape() for us.
    '#options' => image_style_options(FALSE),
    // ...
  );

Example involving radios or checkboxes

Drupal 7:

  $form['image_style'] = array(
    '#title' => t('Choose an image style'),
    '#type' => 'radios',
    // The PASS_THROUGH parameter is not added in this case, since the form API
    // does not run radio button labels through check_plain(), and we therefore
    // want to allow image_style_options() to do so.
    '#options' => image_style_options(FALSE),
    // ...
  );

Drupal 8:

  $form['image_style'] = array(
    '#title' => t('Choose an image style'),
    '#type' => 'radios',
    // The form API does not run radio button labels through Html::escape(), so
    // because they are intended to be plain text we need to do it ourselves. (Note
    // that https://www.drupal.org/node/2568647 may make this unnecessary in
    // the future, since it proposes treating radio and checkbox labels as plain text
    // by default.)
    '#options' => array_map('\Drupal\Component\Utility\Html::escape', image_style_options(FALSE)),
    // ...
  );
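
The difference between the two cases above, as an added standalone PHP example that is not part of the original change record or of Drupal's own code. The renderers and the sample labels are constructed stand-ins (assumptions); `html_escape()` uses the same `htmlspecialchars()` flags as `Html::escape()`.

```php
<?php
// Stand-in for \Drupal\Component\Utility\Html::escape() (same flags).
function html_escape(string $text): string {
  return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed sample of what image_style_options(FALSE) returns in Drupal 8:
// machine name => raw, unsanitized label.
function sample_image_style_options(): array {
  return [
    'thumbnail' => 'Thumbnail (100x100)',
    'banner' => 'Banner <b>wide</b> & "retina"',
  ];
}

// Hypothetical select renderer: escapes each option label once, as the
// change record says happens for select lists.
function render_select(array $options): string {
  $html = '';
  foreach ($options as $value => $label) {
    $html .= '<option value="' . html_escape((string) $value) . '">' . html_escape($label) . "</option>\n";
  }
  return $html;
}

// Hypothetical radios renderer: prints labels exactly as given, as the
// change record says happens for radios and checkboxes.
function render_radios(array $options): string {
  $html = '';
  foreach ($options as $value => $label) {
    $html .= '<label><input type="radio" value="' . html_escape((string) $value) . '"> ' . $label . "</label>\n";
  }
  return $html;
}

$raw = sample_image_style_options();
$escaped = array_map('html_escape', $raw);

echo "select, raw labels (escaped once, correct):\n", render_select($raw);
echo "select, pre-escaped labels (double-encoded):\n", render_select($escaped);
echo "radios, raw labels (label markup reaches the page):\n", render_radios($raw);
echo "radios, pre-escaped labels (correct):\n", render_radios($escaped);

// A check a module's own tests could make on the radios output.
if (strpos(render_radios($escaped), '<b>') !== false) {
  throw new RuntimeException('Radio labels were not escaped.');
}
```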

Impacts: 
Module developers